Turning off your Bluetooth and Wi-Fi radios when you’re not using them is good security practice (not to mention good for your battery usage). When you consider Bluetooth’s known vulnerabilities, it’s especially important to make sure your Bluetooth and Wi-Fi settings are doing what you want them to. The iPhone’s newest operating system, however, makes it harder for users to control these settings.

On an iPhone, users might instinctively swipe up to open Control Center and toggle Wi-Fi and Bluetooth off from the quick settings. Each icon switches from blue to gray, leading a user to reasonably believe they have been turned off—in other words, fully disabled. In iOS 10, that was true. However, in iOS 11, the same setting change no longer actually turns Wi-Fi or Bluetooth “off.”

Instead, what actually happens in iOS 11 when you toggle your quick settings to “off” is that the phone will disconnect from Wi-Fi networks and some devices, but remain on for Apple services. Location Services is still enabled, Apple devices (like Apple Watch and Pencil) stay connected, and services such as Handoff and Instant Hotspot stay on. Apple’s UI fails to even attempt to communicate these exceptions to its users.

It gets even worse. When you toggle these settings in the Control Center to what is best described as "off-ish," they don’t stay that way. The Wi-Fi will turn back full-on if you drive or walk to a new location. And both Wi-Fi and Bluetooth will turn back on at 5:00 AM. This is not clearly explained to users, nor left to them to choose, which makes security-aware users vulnerable as well.

The only way to turn off the Wi-Fi and Bluetooth radios is to enable Airplane Mode or navigate into Settings and go to the Wi-Fi and Bluetooth sections.

When a phone is designed to behave in a way other than what the UI suggests, it results in both security and privacy problems. A user has no visual or textual clues to understand the device's behavior, which can result in a loss of trust in operating system designers to faithfully communicate what’s going on. Since users rely on the operating system as the bedrock for most security and privacy decisions, no matter what app or connected device they may be using, this trust is fundamental.

In an attempt to keep you connected to Apple devices and services, iOS 11 compromises users' security. Such a loophole in connectivity can potentially leave users open to new attacks. Closing this loophole would not be a hard fix for Apple to make. At a bare minimum, Apple should make the Control Center toggles last until the user flips them back on, rather than overriding the user’s choice early the next morning. It's simply a question of communicating better to users, and giving them control and clarity when they want their settings off—not “off-ish.”
